We happen to have just had one (well I think 2) of these installed, and it's still being tuned. Our moodle server is exposed to the net via Microsoft TMG reverse proxy, and they just let TMG through the firewall the same as the old firewall. Internally DNS points to the server directly, and we've not had any trouble of the sort you describe since they switched it in (a week or so ago now). The only issue initially was they forgot to put that server into a 'servers which can go online with no users logged into them' group, so it couldn't talk to turnitin, but they fixed that quickly when we spotted the issue on the first working day after it was switched on.
I can tell you who deployed ours (Stay Logical) - I can't guarantee a free answer, but he may be able to give pointers (ask for Jody).
I have seen it get a bit pinicky as it's more a threat management system and tries to scan everything you're doing (unless, like our servers, they have outbound to anything). And it's doing proxy duties now (we had websense before, though most of the time it was more webNONsense).
Maybe ask for some kind of rule to be created for your moodle traffic so it allows it all? We've seen our old proxy need rules setting up to prevent issues like that.